Michael Perklin

- Digital Forensic Examiner
- Corporate Investigator
- Computer Programmer
- eDiscovery Consultant

- Basically: a computer geek + legal support hybrid



Typical Methodologies

- Copy First, Ask Questions Later; or
- Assess relevance first, copy if necessary; or
- Remote analysis of live system, copy targeted evidence only



The approach of Private Firms

- Copy everything; leave originals with the client (unless repossession is part of the job)
- Have to respect the property of custodians





The approach of Public Agencies

- "Gung Ho"
- Seize everything that may be relevant
- Copy everything when safely in their lab on their own time
- Less pressure to return items
- Typically longer turnaround times
Typical Workflow

Create Working Copy -> Process Data For Analysis -> Separate Wheat from Chaff -> Analyze Data For Relevance -> Prepare Report on Findings -> Archive Data For Future

Create Working Copy
- Image the HDD
- Copy files remotely for analysis

Process Data
- Hash files
- Analyze Signatures

Separate Wheat
- De-NIST or De-NSRL
- Known File Filter (KFF)
- Keyword Searches

Analyze For Relevance
- Good hits or false positives?
- Look at photos, read documents, analyze spreadsheets
- Export files for native analysis
- Bookmark, Flag, or otherwise list useful things

Prepare Report
- Include thumbnails, snapshots, or snippets
- Write-up procedures (Copy/Paste from similar case to speed up workload)
- Attach appendices, lists, etc

Archive Data
- Store images on central NAS
- Shelve HDDs for future use



#1. Create a Working Copy

Confounding the first stage of the process


AF Technique #1
Data Saturation

- Let's start simple
- Own a LOT of media
- Stop throwing out devices
- Use each device/container for a small piece of your crimes
- Investigators will need to go through everything
AF Technique #2
Non-Standard RAID

- Common RAIDs share stripe patterns, block sizes, and other parameters
- This hack is simple: Use uncommon settings!
- Use uncommon hardware RAID controllers (HP Smart Array P420)
- Use firmware with poor Linux support. Don't flash that BIOS!
- Non-standard RAID controllers sometimes allow you to choose arbitrary blocksizes (not 128 or 256, but how about 287?)
- This can force an examiner to take a logical copy using seized hardware
- Less damaging for Public sector, can be very expensive for Private sector

[Diagram/screenshot of improperly-reassembled stripes]

- Odd or Even?
- 1, 2, 3, 4?
- 2, 4, 1, 3?
- Little Endian or Big Endian?
Mitigating Non-Standard RAIDs

- De-RAID volumes on their own system
- Use boot discs
- Their hardware reassembles it for you!
- If it doesn't support Linux, use Windows! Windows Live CD!
- Image the volume, not the HDDs
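When the seized controller cannot be booted, the fallback is the brute force the "Odd or Even? 1, 2, 3, 4? 2, 4, 1, 3?" slide hints at. The following is an added example (not from the talk) that generalizes it: reassemble RAID-0 member images under every candidate stripe size and disk order until a plausibility check passes. Real arrays add parity and on-disk metadata; the constructed volume and its sector-marker check stand in for a real filesystem's structures.

```python
"""RAID-0 reassembly when stripe size and disk order are unknown.
Added example (not from the talk): plain striping only, no parity, so
the search over candidate sizes and orders stays readable."""
from itertools import permutations

# Candidate stripe sizes in bytes; 287 is the oddball the slides mention.
STRIPE_CANDIDATES = (128, 256, 287, 512, 1024)

def split_raid0(volume: bytes, stripe: int, order: list[int]) -> list[bytes]:
    """Constructed test data: logical stripe i lands on disk order[i % n]."""
    disks = [bytearray() for _ in order]
    for i in range(0, len(volume), stripe):
        disks[order[(i // stripe) % len(order)]] += volume[i:i + stripe]
    return [bytes(d) for d in disks]

def reassemble(disks: list[bytes], stripe: int, order: list[int]) -> bytes:
    """Interleave stripes round-robin from the member disks in `order`."""
    rounds = max((len(d) + stripe - 1) // stripe for d in disks)
    out = bytearray()
    for r in range(rounds):
        for d in order:
            out += disks[d][r * stripe:(r + 1) * stripe]
    return bytes(out)

def sectors_consistent(vol: bytes) -> bool:
    """Plausibility test standing in for filesystem metadata checks: every
    512-byte sector of the constructed volume starts with its own number."""
    if not vol or len(vol) % 512:
        return False
    return all(vol[i:i + 8] == b"SEC%05d" % (i // 512) for i in range(0, len(vol), 512))

def find_layout(disks: list[bytes], looks_right):
    """Brute-force stripe size and member order until looks_right() accepts."""
    for stripe in STRIPE_CANDIDATES:
        for order in permutations(range(len(disks))):
            vol = reassemble(disks, stripe, list(order))
            if looks_right(vol):
                return stripe, list(order), vol
    return None

# Constructed 12-sector volume striped at 287 bytes over 4 disks in order 2,3,0,1.
VOLUME = b"".join((b"SEC%05d" % i).ljust(512, b".") for i in range(12))
DISKS = split_raid0(VOLUME, 287, [2, 3, 0, 1])

if __name__ == "__main__":
    stripe, order, _ = find_layout(DISKS, sectors_consistent)
    print(f"stripe={stripe} order={order}")   # stripe=287 order=[2, 3, 0, 1]
```

With a real image, replace sectors_consistent with a check on the structures you expect (boot sector signature, MFT record headers), which is what de-RAIDing on the examiner's own system has to get right anyway.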
#2. Process Data for Analysis

Confounding the processing stage

AF Technique #3
File Signature Masking

- File Signatures are identified by file headers/footers
- "Hollow Out" a file and store your crime inside
- Encode data and paste in middle of a binary file

MZ for EXEs
PDF for PDFs
PK for Zips

JPG File Internals


Mitigating File Signature Masking

- Use "Fuzzy Hashing" to identify potentially interesting files
- FTK supports this out-of-the-box
- Analyze all "Recent" lists of common apps for curious entries
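A structural check to pair with fuzzy hashing, added here as an example rather than taken from the talk or from FTK: walk the JPEG marker segments so data parked after the EOI footer is reported even though the FFD8/FFD9 header/footer check passes. The sample image bytes are constructed.

```python
"""Marker walk for a JPEG that passes a header/footer signature check.
Added example (not from the talk): the file keeps its FFD8...FFD9 frame
while data is appended after EOI or parked in a padding segment; listing
the segments and the bytes after EOI exposes both."""
import struct

MARKER_NAMES = {0xE0: "APP0", 0xDB: "DQT", 0xC0: "SOF0", 0xC4: "DHT",
                0xDA: "SOS", 0xFE: "COM"}
IN_SCAN = {0x00, *range(0xD0, 0xD8)}   # byte stuffing and RST0-7 inside scan data

def walk_jpeg(data: bytes) -> dict:
    """Return segments as (name, offset, length), bytes after EOI, anomalies."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI: not a JPEG")
    segments, anomalies, pos, eoi = [], [], 2, None
    while pos + 2 <= len(data) and eoi is None:
        if data[pos] != 0xFF:
            anomalies.append(f"non-marker byte at offset {pos}")
            break
        marker = data[pos + 1]
        if marker == 0xD9:                      # EOI: image ends here
            eoi = pos + 2
            continue
        if pos + 4 > len(data):
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        segments.append((MARKER_NAMES.get(marker, f"0x{marker:02X}"), pos, length))
        pos += 2 + length
        if marker == 0xDA:                      # entropy-coded data follows SOS
            start = pos
            while pos + 1 < len(data) and not (
                    data[pos] == 0xFF and data[pos + 1] not in IN_SCAN):
                pos += 1
            segments.append(("scan", start, pos - start))
    if eoi is None:
        anomalies.append("no EOI marker")
    trailing = data[eoi:] if eoi is not None else b""
    if trailing:
        anomalies.append(f"{len(trailing)} bytes after EOI")
    return {"segments": segments, "trailing": trailing, "anomalies": anomalies}

# Constructed minimal JPEG: SOI, APP0, SOS, 8 bytes of scan data, EOI, payload.
SAMPLE = (b"\xff\xd8"
          + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
          + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
          + b"\x12\x34\xff\x00\x56\xff\xd0\x78"
          + b"\xff\xd9"
          + b"CONSTRUCTED-HIDDEN-DATA")
```

Running walk_jpeg(SAMPLE)["anomalies"] reports the 23 bytes after EOI; a segment list with an unexpectedly large COM or APPn entry is the other place to look.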
#3. Separate Wheat from Chaff

Confounding the sifting process

Talk about NSRL, date filtering, deduplication and other sifting/culling techniques


Background: NSRL

- National Software Reference Library
- Huge databases of hash values
- They strive for complete coverage of all commercially available software
- Every dll, exe, hlp, pdf, dat file installed by every commercial installer
- Used by investigators to filter "typical" stuff


AF Technique #4
Rendering NSRL Useless

- Modify all system and program files
- Modify a string in the file
- Recalculate and update the embedded CRCs
- Turn off Data Execution Prevention (DEP)
- NSRL will no longer match anything
National Software Reference Library

Data Execution Prevention
- Validates system files
- Stops unsafe code
- Protects integrity


Mitigating Rendering NSRL Useless

- Search, don't filter
- Identify useful files rather than eliminating useless files (i.e. Whitelist approach vs Blacklist)
AF Technique #5
Scrambled MAC Times

- All files store multiple timestamps
  Modified - the last write
  Accessed - the last read
  Created - the file's birthday
- Randomize every timestamp (ie Timestomp)
- Disable time updates in registry
- Randomize BIOS time regularly
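The deck carries no mitigation slide for this technique; the following is an added example (not from the talk) of the $STANDARD_INFORMATION versus $FILE_NAME comparison examiners use to spot timestomping, run over constructed MFT-style records with an assumed acquisition date.

```python
"""Timestomp triage over NTFS timestamps. Added example (not from the talk) on
constructed records: $STANDARD_INFORMATION ($SI) is what SetFileTime-style
tools rewrite, while $FILE_NAME ($FN) is maintained by the kernel with no
user-mode API, so disagreement between the two is the tell."""
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class Entry:
    path: str
    si_created: datetime
    si_modified: datetime
    fn_created: datetime
    fn_modified: datetime

def suspicious(e: Entry, acquired: datetime) -> list[str]:
    """Return the heuristics an entry trips; an empty list means nothing odd."""
    flags = []
    # $FN creation is set once by the kernel, so $SI created earlier than it
    # means backdating. Caveat: a rename/move re-copies $SI into $FN.
    if e.si_created < e.fn_created:
        flags.append("si_created_before_fn_created")
    # Second-granularity tools leave the sub-second field at zero. Weak alone
    # (copies from FAT look the same), strong together with the rule above.
    if e.si_created.microsecond == 0 and e.si_modified.microsecond == 0:
        flags.append("zero_subsecond_si")
    # A randomized BIOS clock leaves timestamps later than the acquisition.
    if max(e.si_created, e.si_modified, e.fn_created, e.fn_modified) > acquired:
        flags.append("timestamp_after_acquisition")
    return flags

def triage(entries: list[Entry], acquired: datetime) -> dict[str, list[str]]:
    """Map path -> tripped heuristics for entries that trip at least one."""
    return {e.path: f for e in entries if (f := suspicious(e, acquired))}

def _t(*ymdhms: int, us: int = 0) -> datetime:
    return datetime(*ymdhms, tzinfo=timezone.utc).replace(microsecond=us)

# Constructed sample: assumed acquisition date, one clean, one stomped, one future.
ACQUIRED = _t(2012, 7, 1)
NORMAL = Entry("C:/Users/mp/notes.txt", _t(2012, 3, 4, 10, 0, 0, us=123456),
               _t(2012, 3, 5, 9, 0, 0, us=654321), _t(2012, 3, 4, 10, 0, 0, us=123456),
               _t(2012, 3, 4, 10, 0, 0, us=123456))
STOMPED = Entry("C:/Users/mp/ledger.xls", _t(2003, 1, 1), _t(2003, 1, 1),
                _t(2012, 3, 4, 10, 0, 0, us=123456), _t(2012, 3, 4, 10, 0, 0, us=123456))
FUTURE = Entry("C:/Users/mp/plan.doc", _t(2014, 1, 1, us=5), _t(2014, 1, 2, us=5),
               _t(2014, 1, 1, us=5), _t(2014, 1, 1, us=5))
```

Registry-disabled access-time updates and a drifting BIOS clock are not visible in the MFT alone; corroborate flagged entries against $LogFile, $UsnJrnl or external sources such as mail headers.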
#4. Analyze Data

Confounding file analysis


- Sometimes files can't be analyzed completely inside FTK/Encase/tool
- Files are commonly exported to a temporary folder for external analysis with other tools
- Badguy files exist on the analysis machine natively instead of isolated within an image
- This can cause problems, and not just the obvious problems with viruses...
AF Technique #6
Restricted Filenames

- Even Windows 7 still has holdovers from DOS days: Restricted filenames
  PRN
  AUX
  NUL
  COM#
  LPT#
- Use these filenames liberally


Mitigating Restricted Filenames

- Never export files with native filenames
- Always specify a different name
- FTK does this by default (1.jpg)
- Export by FileID or autogen'd name
AF Technique #7
Circular References

- Folders in folders have typical limit of 255 characters on NTFS
- "Symbolic Links" or "Junctions" can point to a parent
  e.g. C:\Parent\Child\Parent\Child
- Store criminal data in multiple nested files/folders


Circular References

- Many tools that recursively scan folders are affected by this attack
- Some tools don't bat an eye (FTK4)


Mitigating Circular References

- Do not export folders for analysis
- Only export files themselves
- "Flatten" the export of all nested files into one common folder
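One exporter covering both the restricted-filename and the circular-reference mitigations above, added as an example (not the talk's or FTK's code): it enters each real directory once, stays inside the evidence root, and writes every file under an autogenerated name. The tree, link and file contents built by demo() are constructed.

```python
"""Flat, loop-safe export of files from an evidence tree. Added example (not
the talk's or any vendor's code): junction and symlink loops are cut by
recording each directory's real path, and every file is written under an
autogenerated name so reserved device names and deep nesting never reach the
analyst's machine."""
import hashlib, os, re, shutil, tempfile

# Windows treats these basenames as devices whatever extension follows them.
RESERVED = re.compile(r"^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])(\..*)?$", re.IGNORECASE)

def is_reserved(name: str) -> bool:
    """True for names Windows would refuse or redirect to a device."""
    return bool(RESERVED.match(name.rstrip(". ")))

def walk_no_loops(root: str):
    """Yield files depth-first, entering each real directory once and never
    leaving the evidence root, even via a link that points outside it."""
    real_root = os.path.realpath(root)
    seen, stack = set(), [root]
    while stack:
        d = stack.pop()
        key = os.path.realpath(d)
        inside = key == real_root or key.startswith(real_root + os.sep)
        if key in seen or not inside:
            continue
        seen.add(key)
        with os.scandir(d) as it:
            for ent in sorted(it, key=lambda e: e.name):
                if ent.is_dir():             # follows links; realpath dedups them
                    stack.append(ent.path)
                elif ent.is_file():
                    yield ent.path

def flat_export(root: str, dest: str) -> dict[str, str]:
    """Copy every file into dest as NNNN_<hash8>.bin; return export -> source."""
    os.makedirs(dest, exist_ok=True)
    mapping = {}
    for i, src in enumerate(walk_no_loops(root), 1):
        tag = hashlib.sha256(os.path.relpath(src, root).encode()).hexdigest()[:8]
        out = os.path.join(dest, f"{i:04d}_{tag}.bin")
        shutil.copyfile(src, out)
        mapping[out] = src
    return mapping

def demo() -> dict[str, str]:
    """Constructed tree: Parent/a.txt, Parent/Child/PRN, link Parent/Child/Parent -> Parent."""
    root, dest = tempfile.mkdtemp(), tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "Parent", "Child"))
    for rel, body in (("Parent/a.txt", b"A"), ("Parent/Child/PRN", b"B")):
        with open(os.path.join(root, rel), "wb") as f:
            f.write(body)
    os.symlink(os.path.join(root, "Parent"), os.path.join(root, "Parent", "Child", "Parent"))
    return flat_export(root, dest)
```

Keep the returned mapping with the export: it is the only record tying 0002_xxxxxxxx.bin back to the path the file had in evidence.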
AF Technique #8
Use Lotus Notes

- NSF files and their .id files always give problems
- There are many tools to deal with NSFs
- Every one of them has its own problems


Lotus Notes

[Diagram comparing notes dll use]

- Most apps that support .NSF files use the same IBM Lotus Notes dll
- If anyone knows how to use their API, it's IBM themselves


Mitigating Lotus Notes

- Train yourself on Lotus Notes
- Do not rely on NSF conversion
- Lotus Notes is the best NSF, but has its quirks
- Once you know the quirks you can navigate around them
#5. Report Your Findings

Confounding the reporting process


AF Technique #9
HASH Collisions

- MD5 and SHA1 hashes are used to identify files in reports
- Add dummy data to your criminal files so its MD5 hash matches known good files
- Searches for files by hash will yield unexpected results


Hash Collisions

- Of course, this would only be useful in a select few cases:
- i.e. you stole company data and stored it on a volume they could seize/search


Mitigating HASH Collisions

- Use a hash function with fewer collisions (SHA1, SHA256, Whirlpool)
- Doublecheck your findings by opening each matched file to verify the search was REALLY a success
- boy would your face be red!
AF Technique #10
Dummy HDD

- Have a PC with an HDD that isn't used
- USB-boot and ignore the HDD for everyday use
- Store work on cloud/remote machine
- Manually connect to address each day
- Automate dummy writes to local HDD to simulate regular usage


Mitigating Dummy HDDs

- Always check for USB drives. They can be SMALL these days
- Pagefile on USB drive may point to network locations (if the OS was paging at all...)
- If possible, monitor network traffic before seizure to detect remote drive location
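Added example (not from the talk) of the pagefile check in the second bullet: carve UNC paths and URLs from a raw blob in both ASCII and UTF-16LE, since Windows stores most of its strings in the latter and an ASCII-only strings pass misses them. The sample blob, hostname and paths are constructed.

```python
"""Carve network locations from a pagefile or raw image. Added example
(not from the talk): printable runs in ASCII and in UTF-16LE are decoded
and then matched for UNC share paths and remote-storage URLs."""
import re

RUNS = {"ascii": re.compile(rb"[\x20-\x7e]{6,}"),
        "utf-16le": re.compile(rb"(?:[\x20-\x7e]\x00){6,}")}
# UNC share paths (\\host\share\...) and common remote-storage URL schemes.
LOCATION = re.compile(r"\\\\[\w.-]+\\[^\s\\]+(?:\\[^\s\\]*)*"
                      r"|\b(?:https?|ftps?|sftp|smb|webdav)://[^\s\"'<>]+")

def carve_locations(blob: bytes) -> list[tuple[int, str, str]]:
    """Return (byte offset, encoding, text) for every hit, ordered by offset."""
    hits = []
    for enc, run_re in RUNS.items():
        width = 2 if enc == "utf-16le" else 1     # bytes per character in the run
        for run in run_re.finditer(blob):
            text = run.group().decode(enc)
            for m in LOCATION.finditer(text):
                hits.append((run.start() + m.start() * width, enc, m.group()))
    return sorted(hits)

# Constructed sample: binary noise, an ASCII UNC path, a UTF-16LE URL, a local path.
SAMPLE = (b"\x00" * 16 + b"MZ\x90\x00junk"
          + b"\\\\fileserver\\cases\\2012\\ledger.xls" + b"\x00" * 8
          + "https://sync.example.net/drive/".encode("utf-16le") + b"\x00" * 8
          + b"C:\\Windows\\system32\\config\\" + b"\xff" * 4)

if __name__ == "__main__":
    for off, enc, text in carve_locations(SAMPLE):
        print(f"{off:#08x} {enc:9} {text}")
```

Pagefile contents are fragmented, so a hit is a lead to confirm against the network capture taken before seizure, not proof on its own.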







Questions

- Have you encountered frustration in your examinations?
- How did you deal with it?
- I'd love to hear about it in the speaker room!